INFORMATION TECHNOLOGY SECURITY PRACTICES AND PERFORMANCE OF SMALL AND MEDIUM ENTERPRISES IN NAIROBI COUNTY, KENYA
GLADWELL NJOKI MURIGI
D53/OL/CTY/24562/2014
A RESEARCH PROJECT SUBMITTED TO THE SCHOOL OF BUSINESS IN PARTIAL FULLFILLMENT OF THE REQUIREMENTS FOR THE AWARD OF
MASTERS OF BUSINESS ADMINISTRATION DEGREE (MANAGEMENT INFORMATION SYSTEM OPTION) OF KENYATTA UNIVERSITY
DECLARATION
I hereby declare that this project is my original work and has not been presented to any University or Tertiary Institution for examination / assessment.
Signature……….Date………..
Gladwell Njoki Murigi
D53/OL/CTY/24562/2014
Kenyatta University
This research project has been presented for examination with my approval as the appointed University Supervisor.
Signature………. Date………
Ms. Gladys Kimutai
ACKNOWLEDGEMENT
TABLE OF CONTENTS
DECLARATION ... II ACKNOWLEDGEMENT ... III TABLE OF CONTENTS ... IV LIST OF TABLES ... VIII LIST OF FIGURES ... IX ABBREVIATIONS AND ACRONYMS ... X DEFINITION OF TERMS ... XI ABSTRACT... XII
CHAPTER ONE ... 1
INTRODUCTION ... 1
1.1 Background to the Study ...1
1.1.1 Information Technology Security Practices ...2
1.1.2 Small and Medium Enterprises in Nairobi County ...3
1.2 Statement of the Problem ...4
1.3 Objectives of the Study ...5
1.3.1 General Objective ...5
1.3.2 Specific Objectives ...5
1.4 Research Questions ...6
1.5 Significance of the Study ...6
1.6 Scope of the Study...7
1.7 Limitations of the Study ...7
1.8 Organization of the Study ...8
CHAPTER TWO ... 9
LITERATURE REVIEW ... 9
2.2 Theoretical Review ...9
2.2.1 Systems Theory ...9
2.2.2 General Deterrence Theory ... 10
2.3 Empirical Review ... 12
2.3.1 Performance of Small and Medium Enterprises ... 12
2.3.2 Information Technology Policies and Performance of SMEs ... 13
2.3.3 Information Technology Awareness and Training and Performance of SMEs ... 15
2.3.4 System Monitoring and Maintenance and Performance of SMEs ... 16
2.3.5 Access Control and Performance of SMEs ... 17
2.4 Summary of the Literature Review and Research Gap ... 19
2.6 Conceptual Framework ... 20
CHAPTER THREE ... 22
RESEARCH METHODOLOGY ... 22
3.1 Introduction ... 22
3.2 Research Design ... 22
3.3 Target Population ... 22
3.4 Sampling and Sample Size ... 23
3.5 Data Collection Instruments ... 24
3.6 Data Collection Procedures ... 24
3.6.1 Pilot Test ... 25
3.6.2 Validity ... 25
3.6.3 Reliability ... Error! Bookmark not defined. 3.7 Data Analysis and Presentation... 26
4.2 Response Rate ... 27
4.3 Sample Characteristics ... 27
4.3.1 Gender of the Respondents ... 28
4.3.2 Respondents’ Age Bracket... 28
4.3.3 Respondents’ Highest Education Level ... 29
4.3.4 Duration of Business Operation ... 30
4.4 Information Technology Policies ... 31
4.4.1 Formal Information Technology Policies in Businesses ... 31
4.4.2 IT Policies and Performance of SMEs ... 33
4.4.3 Aspects of Information Technology Policies ... 34
4.4.4 Influence of IT policies on Performance of SMEs ... 35
4.5 Information Technology Awareness and Training ... 36
4.5.1 Training on Information Technology Security ... 36
4.5.2 IT Awareness and Training and the Performance of SMEs ... 37
4.5.3 Aspects of Information Technology Awareness and Training ... 38
4.5.4 Influence of IT Awareness and Training on the Performance of SMEs ... 39
4.6 System Monitoring and Maintenance... 39
4.6.1 Monitoring and Maintaining Information Technology Systems... 39
4.6.2 Frequency of Monitoring and Maintaining Information Technology Systems ... 40
4.6.3 System Monitoring and Maintenance and the Performance of SMEs ... 41
4.6.4 Aspects of System Monitoring and Maintenance ... 42
4.6.5 Influence of Security Monitoring and Maintenance on the Performance of SMEs ... 43
4.7 Access Control ... 44
4.7.1 Access Control Enhances Information Technology Security ... 44
4.7.3 Experience of Unauthorized Access in the last one year... 46
4.7.4 Measures of Access Control ... 47
4.7.5 Influence of Access Control on the Performance of SMEs ... 48
4.8 Performance of SMEs... 48
4.9 Regression Analysis ... 49
CHAPTER FIVE... 53
SUMMARY, CONCLUSIONS AND RECOMMENDATIONS ... 53
5.1 Introduction ... 53
5.2 Summary ... 53
5.2.1 Information Technology Policies ... 54
5.2.2 Information Technology Awareness and Training ... 55
5.2.3 System Monitoring and Maintenance ... 55
5.2.4 Access Control ... 56
5.3 Conclusion ... 57
5.4 Recommendations ... 58
5.5 Suggestions for Further Studies ... 60
REFERENCES ... 61
APPENDICES ... 68
Appendix I: Introduction Letter ... 68
LIST OF TABLES
Table 4. 1: Influence of IT Policies on Performance of SMEs ... 33
Table 4. 2: Aspects of Information Technology Policies ... 34
Table 4. 3: Frequency of Monitoring and Maintaining Information Technology Systems ... 41
Table 4. 4: Aspects of System Monitoring and Maintenance ... 43
Table 4. 5: Access Control Measures Adopted to Enhance Information Technology Security .... 45
Table 4. 6: Aspects of Access Control ... 47
Table 4. 7: Performance of SMEs ... 48
Table 4. 8: Regression Coefficients ... 49
Table 4. 9: Model Summary ... 51
LIST OF FIGURES
Figure 2. 1: Conceptual Framework ... 21
Figure 4. 1: Respondents’ Gender ... 28
Figure 4. 2: Respondents’ Age Bracket ... 29
Figure 4. 3: Respondents’ Highest level of Education ... 30
Figure 4. 4: Duration of Business Operation ... 31
Figure 4. 5: Formal Information Technology Policies in Businesses ... 32
Figure 4. 6: Training on Information Technology Security ... 36
Figure 4. 7: IT Awareness and Training and the Performance of SMEs ... 37
Table 4. 8: Aspects of Information Technology Awareness and Training ... 38
Figure 4. 9: Monitoring and Maintaining Information Technology Systems ... 40
Figure 4. 10: System Monitoring and Maintenance and the Performance of SMEs ... 42
Figure 4. 11: Access Control Enhances Information Technology Security ... 44
ABBREVIATIONS AND ACRONYMS
GDP: Gross Domestic Product GDT: General Deterrence Theory GoK: Government of Kenya
ICT: Information Communication and Technology IS: Information System
ISS: Information Systems Security IT: Information Technology
NCBDA: Nairobi Central Business District Association PWC: Price Water-House Coopers
ROA: Return on Assets ROE: Return on Equity
SETA: Security Education, Training, and Awareness SMEs: Small and Medium Enterprises
SQL: Structured Query Language UK: United Kingdom
UN: United Nations
DEFINITION OF TERMS
Information Technology Policies: They define common processes, procedures, roles and responsibilities should be followed by employees within an organization
Awareness: This refers to creation of a sense of familiarity so that an individual be able to carry out their tasks with the required knowledge
Training: These are strategies that develop, maintain, and improve the operational readiness of individuals or units within the organization
Performance: This is the alignments of business units in an organization with an aim of ensuring the organization’s goals are met in terms of sales
volume, profitability and customer satisfaction
System Monitoring and Maintenance: Planning and executing processes such as testing, repairing and other minor modifications that will result in improved functionality
ABSTRACT
CHAPTER ONE INTRODUCTION
1.1 Background to the Study
In the current stiff and tough business environment, business organizations such as small and medium enterprises require information systems to track their business activities, right from business planning to product or service delivery. Due to huge order-turnovers, tracking the number of resources in an organization and monitoring the overall business performance has in the recent past become a challenge to many organizations. This has resulted in the adoption of technology which has been a challenging activity to many SMEs in this era. This is as a result of the increasing competitive markets, increasing supply chain dependency and increasing need to improve the customer base (Casaca, 2014).
Information systems (IS), Information Communication technologies (ICT) and the vast use of the Internet has enabled organizations to rely on computers as media for creating, processing, managing and transmitting sensitive business information. However, this use of IS / ICT and the Internet at large exposes the information assets to attacks, flaws and vulnerabilities, ranging from computer frauds, espionage, sabotage, and vandalism to other incidents, such as fire or floods. The risks are identical for both big firms and for SMEs . Beachboard , (2008).
1.1.1 Information Technology Security Practices
A positive information security culture enhances information security as it can aid in reducing the people threat when working with IT systems (Ngura, Kimwele & Rotich, 2015). Highlighting the importance of information security risks are recent numbers from Australia, USA and UK, which indicate that the abuse and misuse of the internet by employees gives rise to 50 percent of internet incidents. Owing to this finding, a survey in Australia found out that 40 percent of the interviewed companies pointed out information security as a main point of concern (AusCert, 2005). Employees unintentionally trigger information security risks e.g. by unknowingly accepting spam emails, downloading virus containing attachments or simply ignoring information security warnings (Besnard and Arief 2004).
An article titled “threat within” by McAfee (2005), indicated that; 21 percent of workers permitted friends and family to use company personal computers and laptops to access the internet; 51 percent connected their devices such as phones and flash disks to the company PCs, 60 percent stored personal information on the company computers while 10 percent downloaded prohibited material at the work place. This results in high exposure of the company information to risk.
Glibly, Upfold and Sewry (2008) carried out an investigation of information security in small and medium enterprises (SME’s) in the Eastern Cape. The study used a survey research design. The results of the survey revealed that the level of information security awareness amongst SME leadership is as diverse as the state of practice of their information systems and technology. Although a minority of SME’s do embrace security frameworks, most SME leaders have not
According to ISACA (2009) due to the popularity of electronic commerce, many organizations are facing security challenges. Enterprises too often view information security in isolation: the perception is that security is someone else’s responsibility and there is no collaborative effort to
link the security program to business goals. This leads to weaknesses in security management which results in serious exposure.
In Kenya, a firm with ten or less workers is known as a micro-enterprise, while those with between ten to fifty workers are called small enterprises. Medium enterprises consist of 51 employees to a hundred workers. According to GoK, enterprises with between one and fifty employees are defined as SMEs whether informal or formal. SME growth can be enhanced by adapting Information Communication Technology (ICT). SME evolution in relation to information security relies on the use of ICT. The protection of information in an organization as well as protection of the hardware and systems used to store, manufacture and send this information is known as Information Security (Casaca, 2014).
Over the last several decades, managers have become alive to the fact that information systems and information are vital organizational resources (Mochoge, 2013). Ngura, Kimwele and Rotich (2015), state that data security is vital to a firm’s operation. When data is not properly stored, manufactured and relayed, operations will be affected and thus resulting in serious effects to trading.
1.1.2 Small and Medium Enterprises in Nairobi County
various sectors ranging from the informal sector, banking, retail, farming among others (Krop, 2014).
It is estimated that Nairobi County hosts 5 million micro and small scale traders offering employment to 8 million people. According to Nairobi County government as cited by Mochoge (2014), there are 30,252 registered SMEs in Nairobi County. Analysis by county shows that Nairobi County recorded a 5.4 percent increase in job creation in 2011 in the SMEs sector (ROK, 2012). Like in any other part of the country SMEs in Nairobi have a short life span and do not go beyond the third anniversary (ROK, 2012).
1.2 Statement of the Problem
SMEs play a major role in the economy of developing countries. In the year 2012, SMEs contributed about 70 percent to the country’s GDP. In addition, the SME sector in Kenya generates over 80 percent of the Nation’s work force with many of the new jobs originating from this sector (GoK, 2012).
According to Sharu and Guyo (2015), small and medium enterprises in Kenya have a short life span and face major hurdles resulting to 60 percent performance failures within the initial three years from inception. According to Ngura, Kimwele and Rotich (2015) SMEs are more exposed to information security risks. Consequently, a United Nations (UN) report stated that this exposure to risks results in poor performance and a high mortality rate. High mortality rate for the SMEs leads to unemployment and thus reduced economic development for a nation (GoK, 2013)
organizations is not thorough due to inadequate support from the management. This shows that there is still a lot that needs to be done in order to secure information held by Kenyan SMEs.
In Portugal, Casaca (2014) conducted a study on what determines effectiveness of the information security in small and medium sized enterprises. In Europe and USA, Dimopoulos (2014) conducted a study on the approaches of information technology security among SMEs. In Kenya, Mochoge (2013) did a study on the factors affecting the implementation of strategic information systems among small and medium companies. However, despite the immense enquiry into information security, none of these studies has been done to analyze information technology security practices in small and medium enterprises. This study was aimed at filling this gap by investigating the influence of information technology security practices on performance of small and medium enterprises in Nairobi County.
1.3 Objectives of the Study
1.3.1 General Objective
The general objective of this study was to investigate on the influence Information Technology Security Practices on performance of small and medium enterprises in Nairobi County.
1.3.2 Specific Objectives
The specific objective of this study was:
iii. To determine how system monitoring and maintenance influences the performance of small and medium enterprises in Nairobi County
iv. To establish the influence of access control on the performance of small and medium enterprises in Nairobi County
1.4 Research Questions
This study sought to answer the following research questions;
i. How do information technology policies influence the performance of small and medium enterprises in Nairobi County?
ii. How does information technology awareness and training influence the performance of small and medium enterprises in Nairobi County?
iii. How does system monitoring and maintenance influence the performance of small and medium enterprises in Nairobi County?
iv. How does access control influence the performance of small and medium enterprises in Nairobi County?
1.5 Significance of the Study
This study’s findings are of benefit to a number of stakeholders in the information technology
SMEs are important pillars of Kenya's economy. Therefore, to the GoK and policy makers; the study provides important information that is essential in making policies that enhance technology security among small and medium enterprises in an effort to improve their performance. The study provides information that can be used in formulating policies to shelter other stakeholders like consumers.
The study improves other researchers’ knowledge pertaining information technology security practices and performance of SMEs. The study also offers a platform for other researches on various information technology security practices used by small and medium enterprises and how they influence their performance.
1.6 Scope of the Study
This study only focused on 1,221 SMEs in the hotel sector in Nairobi County. In addition, the study targeted the owners or the managers of the SMEs. SMEs are considered to be businesses that employ between 5 and 50 employees. The sample size of this study was 292 SME owners or managers. This process was undertaken over a period of one month.
1.7 Limitations of the Study
1.8 Organization of the Study
CHAPTER TWO LITERATURE REVIEW
2.1 Introduction
Reviews of literature on effects of information technology security practices on SMEs performance are presented in this chapter. It starts off with a theoretical review then the empirical review, a summary of review of literature and the conceptual framework.
2.2 Theoretical Review
The section reviews relevant theories and models that support the effects of information security practices on SMEs within Nairobi County. The theories are systems theory and the general deterrence theory.
2.2.1 Systems Theory
Systems theory dates back to the 1940s when Bertalanffy began to connect systems theory with wholeness. According to systems theory, a system essentially consists of objects (physical or logical), attributes that describe the objects, relationships among the objects and the environment in which the system is contained. Systems theory treats organizations as open systems. Open systems are systems that are affected by the environment (Bertalanffy, 1968).
A system may show characteristics that are not related to individual system characters. These are known as emergent properties. Security, a frequent emergent property in a system, is not directly pegged to a specific component but is caused by the interaction of a number of components as they try to attain the desired result (Alter, 2015). Failure of enterprises to adequately address security issues in recent years is due to their inability to define security and present it in a way that is logical and relevant to all stakeholders (ISACA, 2009)
Designing security solutions for today's computer systems is a challenge. The modern business environment is made up of many different applications such as e-mails, databases, e-commerce, and more. Each of these applications has its own threat profile and associated business risk that must be taken into account (ISACA, 2009)
Current methodologies for designing security systems include piecemeal designs and patchwork systems comprised of multiple point solutions. As the complexity of the business driven systems increase, these methods are being strained to keep up with security requirements. Analysis and design of security systems using systems theory provides a new path to reduce the complexity (ISACA, 2009)
2.2.2 General Deterrence Theory
Darcy and Hearth (2011) define counter measures as collection of organizational devices that are used to prevent or point out a security breach. This enhances the appropriateness of GDT due to its dimensions; detection, prevention, remedy and deterrence. It is an origin of criminology and some of its early work includes examining deterrence, detection, prevention and using remedies to influence crime rates. It mitigation can be used to reduced risk by use of deterrence remedy and detection techniques.
Quackenbush (2010) the aim of security efforts is to prevent the occurrence of computer abuse. Majority of organizations do not take systematic approaches to detect abuse of computers. Johnson, Leeds and Wu (2015) agreed that purposeful detection requires understanding the role of detection activities to identify breaches. They also noted that computer abuse detection is noted through normal system use as opposed to accidental or purposeful investigation.
Lijiao (2014) remedy efforts were explored in terms of internal and external sanctions. Internal remedy is applicable to business partners or colleagues. An external remedy on the other hand includes issues such as filing of police reports, indictment, prosecution and conviction. They serve as recourse against outsiders in an organization. The main aim of deterrent efforts is to offer disincentives for probable computer abusers so as to prevent them from abusing computers. This can be done through employee training, administrative policies and visible security functions (Lijiao (2014).
strategically to reduce the impact on a company's operations and at the same time offering protection to the firm.
The process of trying to point out breaches in security in an organization is known as detection. Lee, Lee and Yoo (2004) discovered the three methods of pointing out computer abuse which include purposeful detection activities, accidental discovery and discovery through internal systems controls.
2.3 Empirical Review
2.3.1 Performance of Small and Medium Enterprises
As Taylor and Taylor (2014) highlight, effectiveness relates to how the demands of the various interested parties in a firm have been reached while efficiency relates to the way that a firm’s assets are used in production with little or no wastage to the resources availed. To gain a competitive advantage, every firm has to make its future results attainable through greater satisfaction of the stakeholders and minimal wastage of resources compared to their competitors (Shin, 2015).
According to Tomsic, Bojnec and Simcic (2015), performance is specifically comprised of three major fields of the organization results, which include the use of the assets to generate revenues, (profits, return on assets, return on investment, etc.); the amount of output (sales, market share); and gains of the investor from the investment (total shareholder return, economic value added). According to Mutandwa, Taremwa & Tubanambazi (2015), a business organization ought to measure its performance using both financial and non-financial standards.
or the balance sheet. In any organization, an individual staff’s degree of utilizing the organization’s resources to generate revenue should be measured and verified. Apart from the
objective measures that can be quantified and verified (financial measures), there is need to include measures of performance that are not financially oriented also known as the subjective measures of performance, so as to have a rounded measurement of performance. (Taylor & Taylor, 2014).
In this study the financial oriented indicators such as Return On Assets (ROA), sales growth, Return On Equity (ROE) and profitability growth together with non-financial factors such as employee growth, satisfaction with execution compared to other similar businesses customer satisfaction and overall satisfaction was used to assess the SMEs.
2.3.2 Information Technology Policies and Performance of SMEs
A policy gives explanations on matters like threats and it details what should one do in case one occurs. Procedures and mechanisms of safeguarding of the company’s information should also included in the policy (Sharma, Bhagwat & Dangayach, 2008).
started; the duration within which the firm has been using computers; awareness and sensitization level of the employees on the application of the information systems; as well as the level at which the SME offers reliable and proper security training. The study also established that information security policies are important in attaining a continuous method for improving the organization’s information security (Kimwele, Mwangi and Kimani, 2011)
The main of Information Technology policies is controlling the accessibility of information where the rules and regulations of the company apply in the control. It also ensures the reliability and the authenticity of the information gotten from the company. The policy makes sure that the information can be easily accessed by the people who are authorized to access it when they need it. In an aim of determining the impact of information system security policies and controls on firm operation enhancement for Kenyan Small and Medium Enterprises, Ogalo (2012) conducted a study in Kisumu central business district where he surveyed a targeted population of 481 SMEs in Kisumu. In his findings, he discovered the need for organizations to create strategies that give importance to ICT infrastructure investment and management. After formulating the strategies there follows the establishment of directions on putting into action and controlling them. In addition, regular checkups are important for early detection of any problem that may arise and adversely affect the ICT programs (Ogalo, 2012)
2.3.3 Information Technology Awareness and Training and Performance of SMEs
The impact of Information Technology systems is seen through the involvement of people with information technology. Behavior is having people behave in a particular way and this is what information security is mainly made up of according to Tidwell (2013). The need for security tools has increased over the years and ICT specialists have tried to automate very many security processes but some are not yet automated and others may not be automated. Technologies to provide security sorely depend on the way they are implemented and operated by human beings. Therefore, the people in an organization determine the degree of security of the company. Adequate training is required for people as they deal with ICT systems as they appear to be most unreliable link in information security (Dinev & Qing, 2007).
Darcy, Hovav and Galletta (2008) conducted a study on the knowledge of a user when dealing with a security threat and the effect it has on the misuse of information systems. The study presented criminology, social psychology and information systems combined in one theory model. From the model, it was assumed that sensitization of a user of security threats has direct effect on the perceived confidence and the threats of organizational sanctions associated with IS misuse, which leads to reduced IS misuse intention. The model was piloted on 269 computer users from eight different companies. The results from the excercise revealed that three practices discourage IS misuse: user awareness of security policies; security education, training, and awareness (SETA) programs; and computer monitoring.
this situation becomes completely unreliable. Practitioners have the responsibility to link the knowledge of the user and the correct behavior needed from them. Education should be on what is supposed to be done as well as why it is being done. They users will then be able to at least reduce the impact of any threat that appears. Beachboard , (2008)
2.3.4 System Monitoring and Maintenance and Performance of SMEs
The foundation of proper handling of information systems is continuously checking the function ability of the key areas (Vijayakumar & Ilangovan, 2015). It appears to be very boring and un creative job and most specialists in IT have no time for but it is very important. Skipping of regular check- ups can result to break down of the systems, time wastage and data loss. Beachboard, (2008). Attending to the information systems from time to time can save the organization from occurrences that can negatively impact on it if they happen. Keeping a timetable of the maintenance of the information systems is an important factor in keeping the entire system healthy. Regular monitoring and preventive measures of systems is very crucial so as to assure smooth operation of the IT systems (Yeniman , 2011).
Periodically checking the information systems for deficiencies through control points is what monitoring and preventative maintenance service includes (period of diagnosis depends on customer requirements) (Vijayakumar & Ilangovan, 2015). The periodic checking may consist of automatic observation of key indicators of the state of the information systems; regular procedural maintenance of equipment in the field within a given schedule; and detailed report on the state of the system. Monitoring and preventative maintenance service also comprises of immediate reporting to the customer’s specialists in case of divergence from the normal system
A combination of routine check up and the series of changes in the system development cycle is required to establish if the security controls in the information system continue to be reliable even after the unavoidable changes that are done to the system as well as in the environment in which it operates (Vijayakumar & Ilangovan, 2015). A Security Life Cycle defines the requirements for a continuous monitoring process. A routine monitoring program enables an organization to follow the security condition of an information system on a regular basis; and maintain the security authorization for the system. As changes occur in an information system and its environs, it is the duty of the information owner to make sure that the system authorization remains current, and updates the critical security documents (Cholez & Girard, 2014).
2.3.5 Access Control and Performance of SMEs
Computer security involves ensuring that the data in a system is unavailable to people who are unauthorized to get into contact with it and protecting the computer from destruction. System users, security practitioners, administrative personnel and system operations personnel aim at striking a balance between security and productivity because some security controls slow down productivity (Rui-Feng, Ning & Yu, 2012).
Preventive controls decrease free usage of computing resources and hence can only be used to a degree acceptable to the users. Effective training on security programs is therefore needed as it helps in improving the level of tolerance among the users as they are able to understand the importance of such controls in making it possible for them to trust their computing systems (Upfold & Sewry, 2008). Examples of preventive controls include access control software, antivirus software, encryption, library control systems, smart cards, passwords, callback systems and dial-up access control and (Cholez & Girard, 2014). Preventive technical controls hinder unauthorized people or programs from getting reach to the computing resources. This is done using safeguards integrated in the tangible and intangible computer components, operations or applications software, communication hardware and software together with other related components. Detective controls tools include intrusion detection methods, audit trails and checksums.
Physical security is controlling the access to computers, related materials and objects (including utilities) and the processing facility itself by use of locks, alarms, security guards, badges, and other related measures. More so, mechanisms to secure computers from destruction from either fire, water, natural disaster including floods and earthquakes, or physical theft by people and its related equipments and contents from espionage are a requirement (Vijayakumar & Ilangovan, 2015). Biometric access, file backups, and security guards are examples of physical measures applicable in controlling who enters the areas with computers and related equipments.
mechanisms designed to make sure that proper authorizations and security clearances are given to the people allowed to access the computing resources. Examples of preventive administrative controls include separation of duties, procedures for hiring and firing personnel, registration of people who are authorized to get access to computers, security policies and guidelines as well as supervision, disaster recovery, contingency, and emergency plans (Rui-Feng, Ning & Yu, 2012).
Upfold and Sewry (2008) found that only 52 percent of the respondents used custom user accounts and passwords in their firms in an investigation of Information Security in Small and Medium Enterprises in the Eastern Cape. This sends a red signal considering that user accounts and passwords are the only way of enforcing controlled access to resources. At start-ups, these enterprises have limited resources and mostly use unreliable systems mostly without proper regulations on the accessibility. With time the SMEs managers must restrict system access. There is therefore need to introduce a central unit of controlling users so as to ensure that the employees adhere to the basic security procedures e.g. individual accounts logons and passwords.
2.4 Summary of the Literature Review and Research Gap
As applied to information technology security, the general deterrence theory suggests that threats can be mitigated through the use of deterrence, prevention, detection, and remedy techniques. This is because; wrongful activities can be controlled by the threat of sanctions.
The literature above shows that the process of risk mitigation associated with information security requires a detailed and standardized information security policy. Policies define issues such as information security threats and their countermeasures. They also define roles and responsibilities of all the employees in an organization in relation to information technology security. Information security policy specifies the systems, tools and procedures necessary in protecting information in an organization. The literature also shows that Information Technology systems are dependent on people and hence awareness and training are key in enhancing security. In addition, timely routine monitoring and maintenance of information systems is a key to health of the whole IT infrastructure.
2.6 Conceptual Framework
Independent Variables Dependent Variable
Figure 2.1: Conceptual Framework Source: Author (2017)
Information Technology Policy Back up policy
Policies on access control Policies on sharing, storing and
transmitting of data
Privacy and confidentiality policy
Awareness and Training
Security training and education Communication channels Frequency of training
Security Monitoring and Maintenance Frequency of maintenance
Inspection procedures
Access Control Passwords
Biometric access controls Smart cards
Performance of Small and Medium Enterprises
Sales volume Profitability
CHAPTER THREE RESEARCH METHODOLOGY
3.1 Introduction
This chapter presents the research design, target population, sample size and sampling technique, data collection instruments, data collection procedure, pilot test and data analysis and presentation.
3.2 Research Design
This study used descriptive research design. Descriptive research design involves data collection, description of occurrences and thereafter organizes, depicts, tabulates and describes the data. According to Greener (2008), descriptive design is used to answer the research questions of the subject being studied after gathering the required data. The descriptive research design allows the researcher to make use of both the qualitative and quantitative data in gathering data and behaviors of the population or the event that the study is dedicated.
3.3 Target Population
3.4 Sampling and Sample Size
The study’s sample size was determined by use of Krejcie and Morgan formula (Kothari, 2004). It is common practice for most studies for the confidence level to be at 95 percent and a precision +/- 5 percent. This was adopted in the study. The population for this study was 1,221. Therefore for the sample size at 95 percent confidence level, the following formula was applied.
Where;
N= sample size
X2 = Chi-square for 95 percent confidence level at 1 degree of freedom N=Population size
P= Population proportion
ME=Desired margin of error (expressed as a proportion)
n=292 SME owners or managers.
3.5 Data Collection Instruments
Self -administered questionnaires with unstructured and structured questions were used in the study in collecting primary data. The questionnaire explained the problem of the study together with its objectives and it contained both the open -ended questions and the closed ended questions. Only a particular type of response was required from the closed ended while the open- ended type, gave the respondents’ the freedom to express their views. To be economical in terms of time, energy and finances, self-administered questionnaires were preferred in this study (Cooper & Schindler, 2006). The structured questions were utilized in order to save money and time and simplify the analysis as structured questions are usually in quantitative form. Unstructured questions were also used
3.6 Data Collection Procedures
3.6.1 Pilot Test
The questionnaires were randomly administered to 10 percent of the sample size who were not included in the main study. Pilot testing assisted in anticipating how the performance of the research instruments would be and identifying an easy way of administering them.
Testing of the questionnaire with a selected sample of SMEs in Nairobi County was a measure of ensuring the reliability of the research instrument. Cronbach’s Alpha value ranges between 0 and 1 was used to apply an internal consistency technique. Coefficient of between 0.6 and 0.7 is a commonly accepted rule of thumb that indicates acceptable reliability. In addition, a Cronbach’s Alpha of 0.8 or higher indicates good reliability (Mugenda & Mugenda, 2003). The data from the pilot test was not included in the actual study. In this study, Alpha value was 0.82
3.6.2 Validity
3.7 Data Analysis and Presentation
The questionnaires in this study generated both qualitative and quantitative data. Qualitative data from open ended questions was analysed by use of thematic content analysis. Quantitative data was analyzed by use of inferential and descriptive statistics using Statistical Package for Social Sciences (SPSS version 22). Descriptive statistics such as frequency, mean, percentages and standard deviation were used in this study. Further, multiple regression analysis was used to investigate the relationship between the dependent (performance of SMEs) and the independent variables (information technology policies, awareness and training, access control and system monitoring and maintenance). The regression model in this study was;
Y = β0 + β1X1 + β2X2 + β3X3 + β4X4+ε
Whereby Y = Performance of SMEs
X1 = Information technology policies
X2 = Information technology awareness and training
X3 = System monitoring and maintenance
X4 = Access control
CHAPTER FOUR
RESEARCH FINDINGS AND DISCUSSIONS 4.1 Introduction
This chapter covers the analysis of both qualitative and quantitative data as well as the interpretation of the findings. The main objective of this study was to investigate the effect of information technology security practices on the performance of small and medium enterprises in Nairobi County. The study also sought to establish how information technology policies, information technology awareness and training, system monitoring and maintenance as well as access control influence the performance of SMEs in Nairobi County.
4.2 Response Rate
The study had a sample size of 292 SME owners in the hotel sector in Nairobi County. Out of 292 questionnaires given, 264 responses were obtained, which gave a rate of 90.41 percent. A 100 percent response rate was not achieved as some of the questionnaires had some inconsistent information and some were half way filled and thus could not be used in the study. Kothari (2004) indicates that a 50 percent or more response rate is sufficient and satisfactory for analysis, which shows that 90.41 percent was an acceptable basis for drawing conclusions.
4.3 Sample Characteristics
4.3.1 Gender of the Respondents
The hotels’ owners and managers were requested to specify their gender. The findings were as
presented in Figure 4.1.
Figure 4. 1: Respondents’ Gender Source: Research Data (2016)
As indicated in Figure 4.1, 54.5 percent of the hotel owners and managers were male while 45.5 percent indiacted were female. This implies that the male hotel owners in Nairobi County were more than female hotel owners.
4.3.2 Respondents’ Age Bracket
Figure 4. 2: Respondents’ Age Bracket Source: Research Data (2016)
As per Figure 4.2, 39.8 percent of the hotels’ owners and managers were aged between 36 and 45 years, 32.2 percent were above 46 years of age, 26.9 percent indicated that their age was between 25 and 35 years and 1.1 percent were below 25 years of age. This implies that most of the hotel owners / general managers in Nairobi County were above 36 years of age.
4.3.3 Respondents’ Highest Education Level
Figure 4. 3: Respondents’ Highest level of Education Source: Research Data (2016)
From the findings, 59.8 percent of the hotel owners and managers had bachelor’s degree as their highest education level, 29.5 percent indicated that they had diplomas and 10.6 percent indicated that they had postgraduate degrees. This infers that most (59.8 percent) of the hotel owners and managers in this study had bachelor’s degree as their highest education level.
4.3.4 Duration of Business Operation
The hotels’ owners and managers were also queried on how long their businesses had been in
Figure 4. 4: Duration of Business Operation Source: Research Data (2016)
According to the findings, 36.4 percent of the hotels’ owners and managers reported that their business had been in operation for between 5 and 7 years, 30.3 percent indicated for between 2 and 4 years, 27.3 percent indicated for over 7 years and 6.1 percent indicated for less than 2 years. This shows that most of the hotels involved in this study had been in operation for more than 5 years and hence they had adopted information technology in their business operations.
4.4 Information Technology Policies
The first objective of the study was to establish how information technology policies influence performance of SMEs in Nairobi County.
4.4.1 Formal Information Technology Policies in Businesses
Figure 4. 5: Formal Information Technology Policies in Businesses Source: Research Data (2016)
Research findings in Figure 4.5 indicate that 61.36 percent of the hotels owners and managers had formal information technology policies in their businesses while 38.64 percent disagreed. This suggests that most of the hotels in Nairobi County had formal information technology policies.
From the hotels’ owners and managers who indicated that their businesses had formal
that information security policy specifies the tools, system and procedures necessary in the protection of information in an organization.
4.4.2 IT Policies and Performance of SMEs
The hotels’ owners and managers were asked to indicate the extent to which information
technology policies influence the performance of SMEs in Kenya. The results were as shown in Table 4.1.
Table 4. 1: Influence of IT Policies on Performance of SMEs
Frequency Percent
No extent at all 1 .4
Moderate Extent 46 17.4
Great Extent 153 58.0
To a very Great Extent 64 24.2
Total
Average 66
264 100.0
Source: Research Data (2016)
4.4.3 Aspects of Information Technology Policies
The hotels’ owners and managers were further asked to indicate the extent to which various aspects of information technology policies influence the performance of SMEs in Kenya. A scale of 1 to 5 was used where 1 represents no extent at all, 2 represents low extent, 3 represents moderate extent, 4 represents great extent and 5 represents very great extent.
Table 4. 2: Aspects of Information Technology Policies
Aspects Mean Std. Deviation
Back up policy 3.704 1.111
Policies on access control 3.477 1.035
Policies on sharing, storing and transmitting of data 3.723 1.128 Privacy and Confidentiality policy 3.977 .849
Average 3.72 1.03
Source: Research Data (2016)
From the findings, the hotels’ owners and managers indicated with a mean of 3.977 and a
managers also indicated with a mean of 3.477 and a standard deviation of 1.035 that policies on access control influences his performance of SMEs in Kenya to a great extent.
4.4.4 Influence of IT policies on Performance of SMEs
The hotels’ owners and managers were further asked to indicate how else information
technology policies influence the performance of SMEs in Kenya. From the findings, the respondents indicated that information technology policies help in e-Marketing, access to business finance, e-commerce, like Business to Consumer and Business to Business and Business Branding. When perceived as secure a business can form collaboration with other businesses. In addition, the management can track efficiency and productivity of each member of staff and use this information to increase salary and wages and also award promotions. The management can mitigate risks like fraud caused by employees and outsiders. IT policies can also be used to define acceptable use of social media as a marketing strategy in order to give the business an edge over its competitors.
In addition, the hotels’ owners and managers indicated that IT leads to increased company output
4.5 Information Technology Awareness and Training
The second objective of the study was to find out the influence of information technology awareness and training on the performance of small and medium enterprises in Nairobi County.
4.5.1 Training on Information Technology Security
The hotels owners and managers were queried on whether they or any of their staff had received training on information technology security. The results were as shown in Figure 4.6.
Figure 4. 6: Training on Information Technology Security Source: Research Data (2016)
security. These findings concur with Dinev and Qing (2007) findings that IT security awareness and training influences organizational performance.
4.5.2 IT Awareness and Training and the Performance of SMEs
The hotels owners and managers were requested to show the extent to which awareness and training on information technology security influences the performance of SMEs in Kenya. The results were as shown in Figure 4.7.
Figure 4. 7: IT Awareness and Training and the Performance of SMEs Source: Research Data (2016)
findings agree with Darcy (2008) who highlights the importance of training in enhancing information technology security, as it plays a major role in organizational performance.
4.5.3 Aspects of Information Technology Awareness and Training
The hotels’ owners and managers were also requested to show the extent to which various components of information technology awareness and training influence the performance of SMEs in Kenya.
Table 4. 8: Aspects of Information Technology Awareness and Training
Mean Std. Deviation
Security training and education 4.075 .886
Communication channels 4.136 .684
Frequency of training 3.939 .900
Average 4.05 .0823
Source: Research Data (2016)
As indicated in Table 4.8, the hotels’ owners and managers indicated with a mean of 4.136 and a standard deviation of 0.684 that communication channels influence the performance of SMEs in Kenya to a great extent. The hotels’ owners and managers also indicated with a mean of 4.075
and a standard deviation of 0.886 that security training and education influences the performance of SMEs in Kenya to a great extent. This is in agreement with Beachboard (2008) argument that education and training is key in ensuring the information technology security of an organization. Further, the hotels’ owners and managers indicated with a mean of 3.939 and a standard
great extent. These findings agree with Darcy (2008) that frequency of training plays a major role in enhancing information technology security and hence organizational performance.
4.5.4 Influence of IT Awareness and Training on the Performance of SMEs
The hotels’ owners and managers were requested to indicate other ways in which information
technology awareness and training influences the performance of SMEs in Kenya. From the findings, the respondents indicated that it makes it easy for them to collect, store and access the business data. Also, information technology awareness and training helps in computerizing operations and leads to increased awareness by capitalizing on the advantages of cyber advertising which could increase company productivity. Further, IT awareness and training is attractive to sophisticated personnel that tend to have a positive contribution to the diversity in skill level in the organization. In addition, it gives businesses a platform to exchange information on perceived threats in a particular industry and take steps to mitigate the risks. These findings are in line with Tidwell (2013) that training and awareness improves employee knowledge on various types of threats and ways of mitigating against them. It also provides a platform to engage with industry player and discuss on the most appropriate hardware and software to mitigate these risks.
4.6 System Monitoring and Maintenance
The third objective was to determine how system monitoring and maintenance influences the performance of SMEs in Nairobi County.
Figure 4. 9: Monitoring and Maintaining Information Technology Systems Source: Research Data (2016)
As indicated above, 85.6 percent of the hotels’ owners and managers indicated that their businesses monitor and maintain their information technology systems while 14.4 percent disagreed. This implies that most hotels in Nairobi County monitor and maintain their information technology systems. These findings concur with Ogalo (2012) findings that constant periodic assessment of information and communication technology risk is important in the identification of emerging threats that can have negative effects in information and communication technology assets utilization and operations.
4.6.2 Frequency of Monitoring and Maintaining Information Technology Systems
The hotels’ owners and managers were further asked to indicate how often they monitor and
Table 4. 3: Frequency of Monitoring and Maintaining Information Technology Systems
Frequency Percent
Every week 72 31.9
Once in 1 year 49 21.7
Every 6 months 73 32.3
Once in 1 year 8 3.5
When there is a perceived threat 24 10.6
Total 226 100.0
Average 53.2
Source: Research Data (2016)
As potrayed in Table 4.3, 32.3 percent of the hotels’ owners and managers indicated that their businesses were monitoring and maintaining their information technology systems every six months, 31.9 percent indicated every week, 21.7 percent indicated once a year, 10.6 percent indicated when there is a perceived threat and 3.5 percent indicated once a year. This implies that majority of the hotels in Nairobi County were monitoring and maintaining their information technology systems every six months.
4.6.3 System Monitoring and Maintenance and the Performance of SMEs
The hotels’ owners and managers were asked to specify the extent to which system monitoring
Figure 4. 10: System Monitoring and Maintenance and the Performance of SMEs Source: Research Data (2016)
As shown in Figure 4.10, 45.5 percent of the hotels’ owners and managers indicated that system monitoring and maintenance influences the performance of SMEs in Kenya to a great extent, the same percent indicated to a very great extent and 9.1 percent indicated to a low extent. These findings imply that system monitoring and maintenance influence the performance of SMEs in Kenya to a great extent. These findings are in line with Vijayakumar and Ilangovan (2015) argument that system monitoring and maintenance helps in identifying risks that can negatively affect the performance of a firm.
4.6.4 Aspects of System Monitoring and Maintenance
The hotels’ owners and managers were queried on the extent to which various components of
Table 4. 4: Aspects of System Monitoring and Maintenance
Mean Std. Deviation
Frequency of maintenance 3.909 .884
Inspection procedures 3.848 .822
Average 3.87 .825
Source: Research Data (2016)
According to the findings, the hotels’ owners and managers indicated with a mean of 3.909 and a standard deviation of 0.884 that frequency of maintenance influences the performance of SMEs in Kenya to a great extent. These findings concur with Yenima (2011) argument that timely information systems’ routine maintenance is important in ensuring the health of the information technology infrastructure. The hotels’ owners and managers also indicated with a mean of 3.848 and a standard deviation of 0.822 that inspection procedures influence the performance of SMEs in Kenya to a great extent.
4.6.5 Influence of Security Monitoring and Maintenance on the Performance of SMEs
The hotels’ owners and managers were requested to indicate how else security monitoring and
business related information which can negatively impact their businesses. Security awareness ensures that all users of information technology systems have a copy of the acceptable user policy and understand their responsibilities. These findings agree with Vijayakumar and Ilangovan (2015) argument that security monitoring and maintenance helps in tracking the security state of the system on a continuous basis and helps in maintaining the its security authorization.
4.7 Access Control
The fourth objective of the study was to establish the influence of access control on the performance of small and medium enterprises in Nairobi County.
4.7.1 Access Control Enhances Information Technology Security
The hotels’ owners and managers were asked to specify whether they thought access control
enhances information technology security. The results were as shown in Figure 4.11.
Source: Research Data (2016)
Per the findings, 97 percent of the hotels’ owners and managers indicated that access control enhances information technology security while 3 percent disagreed. This implies that access control enhances information technology security. These findings agree with Rui-Feng (2012) that access control is the cornerstone of security programs as indicated by most security professionals in information systems.
From the hotels’ owners and managers who indicated that access control enhances information technology security, the study also sought to establish how. The hotels’ owners and managers indicated that access control is considered as a security method, which is normally used in the regulation of who should view or access what in the computing environment. In addition, access control systems perform authorization identification, authentication and access approval. This is done through login credentials such as passwords, physical or electronic keys and biometric scans.
4.7.2 Access Control Measures Adopted to Enhance Information Technology Security
The respondents were also asked to indicate access control measures adopted to enhance information technology security in their businesses. The results were as presented in Table 4.5. Table 4. 5: Access Control Measures Adopted to Enhance Information Technology Security
Frequency Percent
Yes No Yes No
Use of passwords 244 20 92.4 7.6
Source: Research Data (2016)
From the findings, 92.4 percent of the hotels’ owners and managers indicated that their businesses had adopted use of passwords to enhance information technology security in their businesses, 47 percent indicated that they had adopted biometric access controls and 60.6 percent indicated that they had adopted smart cards. This shows that use of passwords was the most used access control measure to enhance information technology security in their businesses, followed by smart cards and biometric access controls.
4.7.3 Experience of Unauthorized Access in the last one year
The hotels’ owners and managers were asked to indicate whether their businesses had
experienced unauthorized access in the last one year. The results were as shown in Figure 4.12.
From the findings, 57.6 percent of the hotels’ owners and managers indicated that their businesses had experienced unauthorized access in the last one year while 42.4 percent disagreed. This implies that most of the businesses had experienced unauthorized access in the last one year.
4.7.4 Measures of Access Control
The hotels’ owners and managers were queried on the extent to which various access control measures influence the performance of SMEs in Kenya. The results were as presented in Table 4.6.
Table 4. 6: Aspects of Access Control
Mean Std. Deviation
Passwords 4.030 .922
Biometric access controls 3.799 .800
Smart cards 3.674 .628
Average 3.834 .783
Source: Research Data (2016)
As indicated in Table 4.6, the hotels’ owners and managers indicated with a mean of 4.030 and a standard deviation of 0.922 that passwords influence the performance of SMEs in Kenya to a great extent. The hotels’ owners and managers also indicated with a mean of 3.799 and a
to a great extent. These findings correspond with Upfold and Sewry (2008) argument that the use of passwords, biometric access controls and smart cards influences the performance of SMEs.
4.7.5 Influence of Access Control on the Performance of SMEs
The hotels’ managers and owners were requested to indicate how else access control influences
the performance of SMEs in Kenya. They noted that it increases confidence to use the system, maintains the integrity of the system, safeguards the system and keeps off unauthorized persons. These findings agree with Yeniman (2011) argument that access control ensures that only authorized personnel should have access to computing resources, which enhances the availability, confidentiality and integrity of computing programs and data.
4.8 Performance of SMEs
The hotels’ managers and owners were queried on the extent to which information technology
security influences the performance of SMEs in Kenya. The results were as shown in Table 4.7.
Table 4. 7: Performance of SMEs
Mean Std. Deviation
Sales volume 3.825 .789
Profitability 3.935 .729
Customer satisfaction 4.200 .785
Number of customers 4.037 .817
Average 3.999 .78
As portrayed in Table 4.7, the hotels’ managers and owners indicated with a mean of 4.200 and a standard deviation of 0.785 that information technology security influences customer satisfaction to a great extent. The hotels’ owners and managers also indicated with a mean of 4.037 and a
standard deviation of 0.817 that information technology security influences number of customers to a great extent. The respondents also indicated with a mean of 3.935 and a standard deviation of 0.729 information technology security influences profitability to a great extent. Also, the respondents agreed with a mean of 3.825 and a standard deviation of 0.789 that information technology security influences sales volume to a great extent.
4.9 Regression Analysis
The study used a multivariate regression analysis to determine the relationship between the dependent and the independent variables. The multivariate regression model was:
Y = β0 + β1X1 + β2X2 + β3X3 + β4X4+ε
Whereby Y was Performance of SMEs, X1 was Information technology policies, X2 was
Information technology awareness and training, X3 was system monitoring and maintenance, X4
was Access control and ε was the error term.
Table 4. 8: Regression Coefficients
Model Unstandardized
Coefficients
Standardized Coefficients
t Sig.
B Std. Error Beta
1 (Constant) .219 .312 .702 .483
Information technology awareness and training
.299 .040 .343 7.471 .000
System monitoring and maintenance
.107 .041 .117 2.632 .009
Access control .358 .060 .288 6.005 .000
a. Dependent Variable: Performance of SMEs Source: Research Data (2016)
From Table 4.10, there is a positive significant relationship between information technology policies and the performance of SMEs with a regression coefficient of 0.435. This shows that a unit improvement in information technology policies would lead to a 0.435 improvement in the performance of SMEs. The p-value (0.00) was less than the significance level (0.05), hence the relationship was significant. These findings agree with Kimwele, Mwangi and Kimani (2011) findings that IT security policies positively influence organizational performance of SMEs.
The results also show that there is a positive significant relationship between information technology awareness and training and the performance of SMEs with a regression coefficient of 0.299. This shows that a unit improvement in information technology awareness and training would lead to a 0.299 improvement in the performance of SMEs. The relationship was significant as the p-value (0.000) was less than the significance level (0.05). These findings concur with Dinev and Qing (2007) findings that IT security awareness and training influences organizational performance.
0.107. This indicates that a unit improvement in systems monitoring and maintenance would lead to a 0.107 improvement in the performance of small and medium enterprises. The relationship was found to be significant as the p-value (0.001) was less than the significance level (0.05). These findings concur with Ogalo (2012) findings that systems monitoring and maintenance and the performance of SMEs.
Lastly, the study results show that there is a positive significant relationship between access control and the performance of small and enterprises with a regression coefficient of 0.358. This indicates that a unit improvement in access control would lead to a 0.358 improvement in the performance of SMEs. This relationship was significant as the p-value (0.005) was less that of the significance level (0.05). These findings concur with Rui-Feng (2012) findings that access control significantly influences the performance of SMEs.
Table 4. 9: Model Summary
Model R R Square Adjusted R Square Std. Error of the Estimate
1 .730a .533 .526 .42626
a. Predictors: (Constant), Access control , System monitoring and maintenance, Information technology awareness and training , Information technology policies
Source: Research Data (2016)
factors not considered in this study explain 46.7 percent of the variation in the dependent variable, performance of SMEs.
Table 4. 10: Analysis of Variance
Model Sum of Squares Df Mean Square F Sig.
1 Regression 53.690 4 13.422 73.871 .000b
Residual 47.060 259 .182
Total 100.750 263
a. Dependent Variable: Performance of SMEs
b. Predictors: (Constant), Access control , System monitoring and maintenance, Information technology awareness and training , Information technology policies
Source: Research Data (2016)
CHAPTER FIVE
SUMMARY, CONCLUSIONS AND RECOMMENDATIONS 5.1 Introduction
This chapter presents a discussion of the findings, conclusions drawn from the findings, recommendation and suggestions for further studies. The conclusions and recommendations were aimed at addressing the general objective of the study, which was to investigate the effect of information technology security practices on the performance of SMEs in Nairobi County.
5.2 Summary
